From 9c30abd4a99c2ec516b2f2b8a6a1697a7fdaa69b Mon Sep 17 00:00:00 2001 From: Joakim Antman Date: Sat, 28 Dec 2024 15:11:24 +0200 Subject: [PATCH] Drop support for HS512256 --- CHANGELOG.md | 1 + lib/jwt/jwa.rb | 6 --- lib/jwt/jwa/hmac_rbnacl.rb | 50 ------------------------- lib/jwt/jwa/hmac_rbnacl_fixed.rb | 47 ------------------------ spec/jwt/jwa/hmac_rbnacl_fixed_spec.rb | 51 -------------------------- spec/jwt/jwa/hmac_rbnacl_spec.rb | 13 ------- spec/jwt/jwt_spec.rb | 6 +-- 7 files changed, 2 insertions(+), 172 deletions(-) delete mode 100644 lib/jwt/jwa/hmac_rbnacl.rb delete mode 100644 lib/jwt/jwa/hmac_rbnacl_fixed.rb delete mode 100644 spec/jwt/jwa/hmac_rbnacl_fixed_spec.rb delete mode 100644 spec/jwt/jwa/hmac_rbnacl_spec.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index bff01cf6..58faa9c5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ - JWT::EncodedToken#verify! method that bundles signature and claim validation [#647](https://github.com/jwt/ruby-jwt/pull/647) ([@anakinj](https://github.com/anakinj)) - Require token signature to be verified before accessing payload (Breaking change!) [#648](https://github.com/jwt/ruby-jwt/pull/648) ([@anakinj](https://github.com/anakinj)) +- Drop support for the HS512256 algorithm (Breaking change!) [#650](https://github.com/jwt/ruby-jwt/pull/650) ([@anakinj](https://github.com/anakinj)) - Your contribution here **Fixes and enhancements:** diff --git a/lib/jwt/jwa.rb b/lib/jwt/jwa.rb index 81d808aa..d2d25bc2 100644 --- a/lib/jwt/jwa.rb +++ b/lib/jwt/jwa.rb @@ -20,12 +20,6 @@ require_relative 'jwa/eddsa' if JWT.rbnacl? -if JWT.rbnacl_6_or_greater? - require_relative 'jwa/hmac_rbnacl' -elsif JWT.rbnacl? - require_relative 'jwa/hmac_rbnacl_fixed' -end - module JWT # The JWA module contains all supported algorithms. module JWA diff --git a/lib/jwt/jwa/hmac_rbnacl.rb b/lib/jwt/jwa/hmac_rbnacl.rb deleted file mode 100644 index d553e387..00000000 --- a/lib/jwt/jwa/hmac_rbnacl.rb +++ /dev/null 
@@ -1,50 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
- module JWA
- # Implementation of the HMAC family of algorithms (using RbNaCl)
- class HmacRbNaCl
- include JWT::JWA::SigningAlgorithm
-
- def self.from_algorithm(algorithm)
- new(algorithm, ::RbNaCl::HMAC.const_get(algorithm.upcase.gsub('HS', 'SHA')))
- end
-
- def initialize(alg, hmac)
- @alg = alg
- @hmac = hmac
- end
-
- def sign(data:, signing_key:)
- Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
- hmac.auth(key_for_rbnacl(hmac, signing_key).encode('binary'), data.encode('binary'))
- end
-
- def verify(data:, signature:, verification_key:)
- Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
- hmac.verify(key_for_rbnacl(hmac, verification_key).encode('binary'), signature.encode('binary'), data.encode('binary'))
- rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
- false
- end
-
- register_algorithm(new('HS512256', ::RbNaCl::HMAC::SHA512256))
-
- private
-
- attr_reader :hmac
-
- def key_for_rbnacl(hmac, key)
- key ||= ''
- raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
- return padded_empty_key(hmac.key_bytes) if key == ''
-
- key
- end
-
- def padded_empty_key(length)
- Array.new(length, 0x0).pack('C*').encode('binary')
- end
- end
- end
-end
diff --git a/lib/jwt/jwa/hmac_rbnacl_fixed.rb b/lib/jwt/jwa/hmac_rbnacl_fixed.rb
deleted file mode 100644
index 8f26ccd6..00000000
--- a/lib/jwt/jwa/hmac_rbnacl_fixed.rb
+++ /dev/null
@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
- module JWA
- # Implementation of the HMAC family of algorithms (using RbNaCl prior to a certain version)
- class HmacRbNaClFixed
- include JWT::JWA::SigningAlgorithm
-
- def self.from_algorithm(algorithm)
- new(algorithm, ::RbNaCl::HMAC.const_get(algorithm.upcase.gsub('HS', 'SHA')))
- end
-
- def initialize(alg, hmac)
- @alg = alg
- @hmac = hmac
- end
-
- def sign(data:, signing_key:)
- signing_key ||= ''
- Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
- raise JWT::DecodeError, 'HMAC key expected to be a String' unless signing_key.is_a?(String)
-
- hmac.auth(padded_key_bytes(signing_key, hmac.key_bytes), data.encode('binary'))
- end
-
- def verify(data:, signature:, verification_key:)
- verification_key ||= ''
- Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
- raise JWT::DecodeError, 'HMAC key expected to be a String' unless verification_key.is_a?(String)
-
- hmac.verify(padded_key_bytes(verification_key, hmac.key_bytes), signature.encode('binary'), data.encode('binary'))
- rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
- false
- end
-
- register_algorithm(new('HS512256', ::RbNaCl::HMAC::SHA512256))
-
- private
-
- attr_reader :hmac
-
- def padded_key_bytes(key, bytesize)
- key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
- end
- end
- end
-end
diff --git a/spec/jwt/jwa/hmac_rbnacl_fixed_spec.rb b/spec/jwt/jwa/hmac_rbnacl_fixed_spec.rb
deleted file mode 100644
index e2d0b950..00000000
--- a/spec/jwt/jwa/hmac_rbnacl_fixed_spec.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-# frozen_string_literal: true
-
-RSpec.describe 'JWT::JWA::HmacRbNaClFixed' do
- subject(:instance) { JWT::JWA::HmacRbNaClFixed.new('HS512256', RbNaCl::HMAC::SHA512256) }
- let(:data) { 'test' }
-
- before do
- skip('Requires the rbnacl gem') unless JWT.rbnacl? && !JWT.rbnacl_6_or_greater?
- end
-
- describe '#sign' do
- subject(:sign) { instance.sign(data: data, signing_key: signing_key) }
-
- let(:signing_key) { '*' * (RbNaCl::HMAC::SHA512256.key_bytes - 1) }
-
- it { is_expected.not_to be_empty }
-
- context 'when signing_key key is larger than hmac key bytes' do
- let(:signing_key) { '*' * (RbNaCl::HMAC::SHA512256.key_bytes + 1) }
-
- it 'raises length error' do
- expect { sign }.to raise_error(RbNaCl::LengthError, a_string_including('key was 33 bytes (Expected 32)'))
- end
- end
- end
-
- describe '#verify' do
- subject(:verify) { instance.verify(data: data, signature: signature, verification_key: verification_key) }
-
- let(:signature) { instance.sign(data: data, signing_key: signing_key) }
-
- let(:verification_key) { '*' * (RbNaCl::HMAC::SHA512256.key_bytes - 1) }
- let(:signing_key) { verification_key }
-
- it { is_expected.to be(true) }
-
- context 'when verification_key key is larger than hmac key bytes' do
- let(:verification_key) { '*' * (RbNaCl::HMAC::SHA512256.key_bytes + 1) }
- let(:signature) { 'a_signature' }
-
- it { is_expected.to be(false) }
- end
- end
-
- context 'backwards compatibility' do
- it 'signs and verifies' do
- signature = JWT::JWA::HmacRbNaClFixed.sign('HS512256', 'data', 'key')
- expect(JWT::JWA::HmacRbNaClFixed.verify('HS512256', 'key', 'data', signature)).to be(true)
- end
- end
-end
diff --git a/spec/jwt/jwa/hmac_rbnacl_spec.rb b/spec/jwt/jwa/hmac_rbnacl_spec.rb
deleted file mode 100644
index dc0528bd..00000000
--- a/spec/jwt/jwa/hmac_rbnacl_spec.rb
+++ /dev/null
@@ -1,13 +0,0 @@ -# frozen_string_literal: true - -RSpec.describe 'JWT::JWA::HmacRbNaCl' do - before do - skip('Requires the rbnacl gem') unless JWT.rbnacl_6_or_greater? - end - context 'backwards compatibility' do - it 'signs and verifies' do - signature = JWT::JWA::HmacRbNaCl.sign('HS512256', 'data', 'key') - expect(JWT::JWA::HmacRbNaCl.verify('HS512256', 'key', 'data', signature)).to be(true) - end - end -end diff --git a/spec/jwt/jwt_spec.rb b/spec/jwt/jwt_spec.rb index 779db969..1e67307c 100644 --- a/spec/jwt/jwt_spec.rb +++ b/spec/jwt/jwt_spec.rb @@ -25,7 +25,6 @@ 'ES256K_public' => test_pkey('ec256k-public.pem'), 'NONE' => 'eyJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.', 'HS256' => 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.kWOVtIOpWcG7JnyJG0qOkTDbOy636XrrQhMm_8JrRQ8', - 'HS512256' => 'eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Ds_4ibvf7z4QOBoKntEjDfthy3WJ-3rKMspTEcHE2bA', 'HS384' => 'eyJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.VuV4j4A1HKhWxCNzEcwc9qVF3frrEu-BRLzvYPkbWO0LENRGy5dOiBQ34remM3XH', 'HS512' => 'eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.8zNtCBTJIZTHpZ-BkhR-6sZY1K85Nm5YCKqV3AxRdsBJDt_RR-REH2db4T3Y0uQwNknhrCnZGvhNHrvhDwV1kA', 'RS256' => 'eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.eSXvWP4GViiwUALj_-qTxU68I1oM0XjgDsCZBBUri2Ghh9d75QkVDoZ_v872GaqunN5A5xcnBK0-cOq-CR6OwibgJWfOt69GNzw5RrOfQ2mz3QI3NYEq080nF69h8BeqkiaXhI24Q51joEgfa9aj5Y-oitLAmtDPYTm7vTcdGufd6AwD3_3jajKBwkh0LPSeMtbe_5EyS94nFoEF9OQuhJYjUmp7agsBVa8FFEjVw5jEgVqkvERSj5hSY4nEiCAomdVxIKBfykyi0d12cgjhI7mBFwWkPku8XIPGZ7N8vpiSLdM68BnUqIK5qR7NAhtvT7iyLFgOqhZNUQ6Ret5VpQ', @@ -106,10 +105,7 @@ end end - algorithms = %w[HS256 HS384 HS512] - algorithms << 'HS512256' if JWT.rbnacl? - - algorithms.each do |alg| + %w[HS256 HS384 HS512].each do |alg| context "alg: #{alg}" do it 'should generate a valid token' do token = JWT.encode payload, data[:secret], alg
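Review bot: Nothing in this spec now pins that `HS512256` is refused: the `%w[HS256 HS384 HS512].each do |alg|` loop only exercises the algorithms that remain, and the `HS512256` fixture token is removed in the first hunk of this file. For a breaking removal of a signing algorithm a negative example is worth adding, so the name cannot quietly start resolving again, for instance `expect { JWT.encode(payload, data[:secret], 'HS512256') }.to raise_error(JWT::EncodeError)` plus a matching decode case. The exact error class is not visible in this diff, so confirm it against the unsupported-algorithm path. The enclosing `describe` block starts and ends outside the hunk. `JWT.rbnacl_6_or_greater?` also loses its callers in `lib/jwt/jwa.rb` and the deleted specs, so it is presumably dead code now unless something outside this patch still uses it.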